Integration Guide

Integrating Microsoft 365 with EventTracker

EventTracker v9.3 and above

Publication Date:

September 13, 2021

© Copyright Netsurion. All Rights Reserved. 1

Abstract

This guide provides instructions to configure Microsoft 365 to generate logs for critical events. After EventTracker is configured to collect and parse the logs, dashboards and reports can be configured to monitor Microsoft 365 usage.

Scope

The configuration details in this guide are consistent with EventTracker version 9.3 and later and Microsoft 365.

Audience

IT admins, Microsoft 365 administrators and EventTracker users who want to forward logs to EventTracker Manager and monitor events using EventTracker.


Table of Contents

1. Overview ...... 4
2. Prerequisites ...... 4
3. Configuring Microsoft 365 to Forward Logs to EventTracker ...... 4
3.1 Creating User and Application with Microsoft 365 Integrator ...... 4
3.2 Creating User and Application without Microsoft 365 Integrator ...... 8
3.2.1 Assigning Compliance Management Permission to a Microsoft 365 User ...... 10
3.2.2 Registering Application with your Azure Active Directory Tenant ...... 13
4. Verifying Microsoft 365 Integration ...... 19
5. Microsoft 365 Error ...... 19
6. EventTracker Knowledge Pack (KP) ...... 21
6.1 Alert ...... 21
6.2 Reports ...... 24
6.3 Dashboard ...... 26
7. Importing Knowledge Pack into EventTracker ...... 45
7.1 Alerts ...... 46
7.2 Knowledge Objects ...... 46
7.3 Reports ...... 48
7.4 Dashlets ...... 49
8. Verifying Knowledge Pack in EventTracker ...... 51
8.1 Alerts ...... 51
8.2 Knowledge Object ...... 52
8.3 Reports ...... 52
8.4 Dashlets ...... 53
About Netsurion ...... 54


1. Overview

The EventTracker knowledge pack for Microsoft 365 captures important activities in Exchange Online and Azure Active Directory. Monitoring these activities is critical from a security standpoint and is required for compliance and operational reasons. The dashboards and reports give insight into security use cases such as logins from different countries, changes to user permissions, spam and malicious email detection, and mailbox auditing. EventTracker also detects and alerts on spoofed messages among the received email.

EventTracker helps you monitor day-to-day Microsoft 365 Exchange activity such as mailbox storage usage and a summary of mail traffic.

2. Prerequisites

• EventTracker v9.3 or above must be installed.

• PowerShell 5.0 or later must be installed on the EventTracker Manager.

• The Microsoft 365 service account must hold the Reports Reader role and Compliance Management permission (see section 3.2.1 for instructions).

• Auditing (the unified audit log) must be enabled on your tenant; see Microsoft's documentation for instructions.

• An application must be registered in Azure AD with Office 365 Management API and Microsoft Graph API permissions (see section 3.2.2 for instructions).

• If there is a web filter or firewall in between, allow outbound HTTPS to the following URLs:

o https://graph.microsoft.com
o https://login.windows.net
o https://manage.microsoft.com

• Message trace monitoring is not currently supported for Microsoft 365 GCC, GCC High and DoD tenants.

• Microsoft adds and changes audit event types over time; see Microsoft's documentation for the current list of event types.
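The prerequisites above can be checked before the integrator is run. The PowerShell below is an added example, not part of the Netsurion guide or the integrator itself. It assumes the ExchangeOnlineManagement module is available for the auditing check, and it adds manage.office.com, the host the Office 365 Management Activity API is served from, to the guide's URL list on the assumption that the integrator calls that API; the function name and output format are the example's own.

```powershell
# Added example: pre-flight checks for the integration prerequisites.
# Run in an elevated Windows PowerShell session on the EventTracker Manager host.
# Assumptions (not from the guide): ExchangeOnlineManagement is installed for the
# auditing check; manage.office.com is included as the Management Activity API host.

function Test-M365Prerequisites {
    [CmdletBinding()]
    param(
        # Hosts that must be reachable on TCP 443 through any proxy or firewall
        [string[]]$Endpoints = @('graph.microsoft.com', 'login.windows.net',
                                 'manage.microsoft.com', 'manage.office.com'),
        # Connects to Exchange Online and reads the unified audit log setting
        [switch]$CheckAuditing
    )

    $results = [ordered]@{}

    # The integrator refuses to run on anything older than PowerShell 5.0
    $results['PowerShell 5.0 or later'] = $PSVersionTable.PSVersion.Major -ge 5

    # The integrator tries to install the AzureAD module to create the user; report whether it is already present
    $results['AzureAD module present'] = [bool](Get-Module -ListAvailable -Name AzureAD)

    # TCP 443 reachability; a TLS-inspecting proxy still has to allow these hosts
    foreach ($h in $Endpoints) {
        $results["HTTPS to $h"] = Test-NetConnection -ComputerName $h -Port 443 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    if ($CheckAuditing) {
        Connect-ExchangeOnline -ShowBanner:$false
        # Audit records are only produced for the Management Activity API when ingestion is on
        $results['Unified audit log enabled'] = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
        Disconnect-ExchangeOnline -Confirm:$false
    }

    foreach ($entry in $results.GetEnumerator()) {
        $status = if ($entry.Value) { 'OK  ' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $status, $entry.Key)
    }
    return $results
}

$checks = Test-M365Prerequisites -CheckAuditing
if ($checks.Values -contains $false) {
    Write-Warning 'Fix the failed checks before running Microsoft365Integrator.exe'
}
```

Run it without -CheckAuditing if you only want the local and network checks; the auditing check needs an account that can connect to Exchange Online.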

3. Configuring Microsoft 365 to Forward Logs to EventTracker

3.1 Creating User and Application with Microsoft 365 Integrator

Follow these steps to create the user and application with the Microsoft 365 Integrator:

1. Download Microsoft365Integrator.exe onto a system that has the EventTracker agent installed.

2. Save Microsoft365Integrator.exe and run it. After launching, the integrator checks for PowerShell compatibility. If the installed PowerShell is compatible, the integrator lets you configure Microsoft 365; otherwise, update PowerShell on the machine first.


Note: The integrator can also create a user with the Compliance Management and Reports Reader permissions for you.

3. Click Create User and Application for Integration, provide the username and password for the new service account, and click Create.

4. When prompted, click Create and provide Global Administrator credentials; these are used only to create the user.


5. The AzureAD PowerShell module is needed to create the user, and the integrator tries to install it. If the module fails to install, create the user and application manually (section 3.2). If you have a GCC or DoD Microsoft 365 subscription, do not create the user through the integrator; this is not supported at present.

6. Click Create Application to register an application in Azure AD with the Microsoft Graph and Office 365 Management API permissions, then click OK. To register the application manually instead, follow section 3.2.2.

7. A browser window opens so that consent can be granted to the application. Log in with Global Administrator credentials and click Accept.


8. Accept the permissions, close the browser tab, and return to the integrator.

9. Click Validate to review the user and application configuration.


10. Click Save. The integrator checks the subscription, fetches the organization details, and saves the configuration. Microsoft 365 is now integrated with EventTracker; check for incoming logs in the EventTracker Manager console.

3.2 Creating User and Application without Microsoft 365 Integrator

Follow these steps to create the user and application without letting the integrator create them. If you completed section 3.1, skip this section.

1. Contact EventTracker Support for the Microsoft 365 Integration package.

2. Save Microsoft365Integrator.exe and run it. After launching, the integrator checks for PowerShell compatibility. If the installed PowerShell is compatible, the integrator lets you configure Microsoft 365; otherwise, update PowerShell on the EventTracker Manager machine first.


3. Follow section 3.2.2 (Registering Application) and section 3.2.1 (Assigning Compliance Management Permission) to create the application and the user respectively, then fill in the User details and Application details in the integrator.

4. Fill in the Microsoft 365 service account that holds the Compliance Management permission. A service account with administrative access is not required to fetch the logs; a normal service account with the Compliance Management permission suffices. To create such an account, follow section 3.2.1.

5. Fill in the details of the application registered in Azure AD with Microsoft Graph and Office 365 Management API permissions. If no application is registered yet, follow section 3.2.2.

6. Provide the tenant ID for the enterprise. If the tenant ID is not known, it is shown alongside the Application ID on the application's registration page (see the end of section 3.2.2).


7. Fill the EventTracker Manager textbox with the IP address or hostname of the EventTracker Manager, and provide the EventTracker group in which the Microsoft 365 system should be placed.

8. Once all details are provided, the Validate button is enabled. Click Validate to verify the details. If the credentials are correct the Save button is enabled; otherwise an error is shown (see section 5 for the error codes).

9. Click Save to complete the integration.

3.2.1 Assigning Compliance Management Permission to a Microsoft 365 User

To create a Microsoft 365 service account with the Reports Reader role and Compliance Management permission, follow the procedure below. It must be carried out by a user with administrator rights in Microsoft 365.

1. Create the user (e.g., [email protected]) and assign it the Reports Reader role (see Microsoft's documentation on adding users and assigning admin roles).

2. Open the Microsoft 365 admin center.

3. Alternatively, from any Microsoft 365 page, select the app launcher icon in the upper-left and choose Admin.

4. On the left, select Admin Centers and select Exchange.


5. On the left pane, select Permissions.


6. In the right pane, select Compliance Management and click the edit (pencil) icon.

7. Scroll to Members and click the add (+) icon.

8. Select the user (e.g., [email protected]) and click OK.


9. Save the changes.
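The same two assignments can be made and verified from PowerShell, which is useful when the service account is created by a script rather than in the admin center. The block below is an added example and is not part of the Netsurion guide; it assumes the AzureAD and ExchangeOnlineManagement modules are installed, the session is run by an account that can manage directory roles and Exchange role groups, and the service account UPN is a placeholder to replace with your own. It also checks that the account did not end up in Organization Management, since the guide states that Compliance Management alone is sufficient.

```powershell
# Added example: assign Reports Reader (Azure AD role) and Compliance Management
# (Exchange Online role group) to the service account, then verify both.
# Assumptions: AzureAD and ExchangeOnlineManagement modules installed; the UPN is a placeholder.

$ServiceAccount = 'et-m365-svc@example.onmicrosoft.com'   # placeholder UPN

# --- Reports Reader: an Azure AD directory role ---
Connect-AzureAD | Out-Null
$template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Reports Reader'

# Directory roles only exist in a tenant after first activation; activate from the template if needed
$role = Get-AzureADDirectoryRole | Where-Object RoleTemplateId -eq $template.ObjectId
if (-not $role) { $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId }

$user = Get-AzureADUser -ObjectId $ServiceAccount
$roleMembers = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($roleMembers.ObjectId -notcontains $user.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
}

# --- Compliance Management: an Exchange Online RBAC role group ---
Connect-ExchangeOnline -ShowBanner:$false
$groupMembers = Get-RoleGroupMember -Identity 'Compliance Management'
if ($groupMembers.PrimarySmtpAddress -notcontains $ServiceAccount) {
    Add-RoleGroupMember -Identity 'Compliance Management' -Member $ServiceAccount
}

# --- Verify ---
Write-Host 'Reports Reader members:'
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object -ExpandProperty UserPrincipalName
Write-Host 'Compliance Management members:'
Get-RoleGroupMember -Identity 'Compliance Management' | Select-Object -ExpandProperty Name

# Least privilege: the collector account should not also hold full Exchange admin rights
$orgMgmt = Get-RoleGroupMember -Identity 'Organization Management'
if ($orgMgmt.PrimarySmtpAddress -contains $ServiceAccount) {
    Write-Warning "$ServiceAccount is also in Organization Management; Compliance Management is sufficient for log collection"
}
Disconnect-ExchangeOnline -Confirm:$false
```

Both branches are idempotent, so the script can be re-run after a role change to confirm the account still holds exactly what the integration needs.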

3.2.2 Registering Application with your Azure Active Directory Tenant

If the application is not yet registered in Azure AD, follow the procedure below. It must be carried out by a user with Global Administrator rights in Microsoft 365.

1. Sign in to the Azure portal.

2. If your account gives you access to more than one tenant, click your account in the top right corner and switch the portal session to the desired Azure AD tenant.

3. In the left-hand navigation pane, click the Azure Active Directory service, click App registrations, and click New registration.


4. When the registration page appears, enter the application's registration information:

• Name: Enter an appropriate application name (e.g., ETSIEMConnector).
• Supported account types: Select Accounts in this organizational directory only.
• Redirect URI: Select Web and enter http://localhost.

5. Click Register. Azure AD assigns a unique Application (client) ID to the application and opens its main registration page. Note the Application ID.


6. To add the permissions the client needs on the resource APIs:

• Click the API permissions section, then Add a permission.
• On the Microsoft APIs tab, select Microsoft Graph.

7. Under Microsoft Graph, choose Application permissions and add the following:

• Read your organization's security events (SecurityEvents.Read.All)
• Read all usage reports (Reports.Read.All)
• Read all audit log data (AuditLog.Read.All)


8. Click Add a permission again, select Office 365 Management APIs, choose Application permissions, and select all of them. ActivityFeed.Read is the one the activity feed subscriptions require; if it is missing from the token, the API returns error AF10001 (section 5).


9. After selecting the permissions, click Grant admin consent. Application permissions take effect only after consent, and granting it requires a user with Global Administrator privileges.


10. Back on the application's main registration page, add a secret for the application's credentials:

• Click the Certificates & secrets section.
• Add a description for the secret (e.g., ETKey).
• Select Never from the Expires section. A non-expiring secret never has to be rotated, but it also never expires if it leaks; if your policy requires rotation, choose a finite lifetime and update the client secret in the integrator before it expires.
• Click Add. The Value column shows the secret only once, immediately after it is created; copy it now. This value is the client secret the integrator asks for.

Note the Application ID and Tenant ID (both shown on the application's overview page) after completing the app configuration (Figure 24).
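For tenants that script their registrations, the same application can be created with the AzureAD PowerShell module. The block below is an added example and is not the integrator's or the guide's code. It resolves the permission IDs from each API's service principal instead of hard-coding GUIDs, so it requests exactly the roles the portal steps name. Assumptions: the three Graph display names in step 7 correspond to the application permissions SecurityEvents.Read.All, Reports.Read.All and AuditLog.Read.All; step 8 means every application permission exposed by the Office 365 Management APIs; the application name, secret label and one-year secret lifetime are placeholders. Admin consent (step 9) is still granted in the portal.

```powershell
# Added example: register the integration app with the AzureAD module.
# Assumptions: permission names map to the step 7/8 display names as stated above;
# 'ETSIEMConnector', 'ETKey' and the 1-year secret lifetime are placeholders.

Connect-AzureAD | Out-Null

# Well-known application IDs of the two resource APIs
$GraphAppId    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
$O365MgmtAppId = 'c5393580-f805-4401-95e8-94b7a6ef2fc2'   # Office 365 Management APIs

# Build a RequiredResourceAccess entry from application-permission names, resolving
# each name to its role ID on the resource's service principal.
function New-RequiredResourceAccess {
    param([string]$ResourceAppId, [string[]]$AppRoleNames)
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    $access = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $access.ResourceAppId = $ResourceAppId
    $access.ResourceAccess = @(foreach ($name in $AppRoleNames) {
        $role = $sp.AppRoles | Where-Object Value -eq $name
        if (-not $role) { throw "Application permission '$name' not found on $($sp.DisplayName)" }
        # 'Role' = application permission; 'Scope' would be a delegated permission
        New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $role.Id, 'Role'
    })
    return $access
}

# Step 7: the three Graph application permissions
$graphAccess = New-RequiredResourceAccess -ResourceAppId $GraphAppId `
    -AppRoleNames 'SecurityEvents.Read.All', 'Reports.Read.All', 'AuditLog.Read.All'

# Step 8: every application permission on the Office 365 Management APIs
$mgmtSp = Get-AzureADServicePrincipal -Filter "appId eq '$O365MgmtAppId'"
$mgmtRoles = ($mgmtSp.AppRoles | Where-Object AllowedMemberTypes -contains 'Application').Value
$mgmtAccess = New-RequiredResourceAccess -ResourceAppId $O365MgmtAppId -AppRoleNames $mgmtRoles

# Steps 4-5: single-tenant app (the module's default) with the Web redirect URI
$app = New-AzureADApplication -DisplayName 'ETSIEMConnector' -ReplyUrls 'http://localhost' `
    -RequiredResourceAccess @($graphAccess, $mgmtAccess)
$null = New-AzureADServicePrincipal -AppId $app.AppId   # needed before consent can be granted

# Step 10: client secret. A bounded lifetime is used here so that rotation is enforced.
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier 'ETKey' -EndDate (Get-Date).AddYears(1)

# Values the integrator asks for. The secret is only returned once; do not write it to disk.
[pscustomobject]@{
    TenantId      = (Get-AzureADTenantDetail).ObjectId
    ApplicationId = $app.AppId
    ClientSecret  = $secret.Value
}
```

After running it, open the app in the portal and click Grant admin consent as in step 9; the requested permissions show as "Not granted" until then.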


4. Verifying Microsoft 365 Integration

After providing the details in the Microsoft 365 Integrator, verify the integration as follows:

• Open Services (services.msc) and check that the Microsoft 365 services created by the integrator exist and are running.

• Open Task Scheduler and check that the scheduled task created by the integrator exists and is enabled.

5. Microsoft 365 Error

The following table lists the error codes that the Office 365 Management Activity API can return to the integrator, the meaning of each placeholder in the message, and the recommended troubleshooting step.

AF10001
  Message: The permission set ({0}) sent in the request did not include the expected permission ActivityFeed.Read.
    {0} = the permission set in the access token
  Troubleshooting: Check the permissions granted to the registered application.

AF20001
  Message: Missing parameter: {0}.
    {0} = the name of the missing parameter
  Troubleshooting: Contact the EventTracker support team.

AF20002
  Message: Invalid parameter type: {0}. Expected type: {1}
    {0} = the name of the invalid parameter
    {1} = the expected type (int, datetime, guid)
  Troubleshooting: Contact the EventTracker support team.

AF20003
  Message: Expiration {0} provided is set to past date and time.
    {0} = the expiration passed in the API call
  Troubleshooting: Contact the EventTracker support team.

AF20010
  Message: The tenant ID passed in the URL ({0}) does not match the tenant ID passed in the access token ({1}).
    {0} = tenant ID passed in the URL
    {1} = tenant ID passed in the access token
  Troubleshooting: Check the tenant ID provided in the Microsoft 365 form.

AF20011
  Message: Specified tenant ID ({0}) does not exist in the system or has been deleted.
    {0} = tenant ID passed in the URL
  Troubleshooting: Contact Microsoft Support for troubleshooting.

AF20012
  Message: Specified tenant ID ({0}) is incorrectly configured in the system.
    {0} = tenant ID passed in the URL
  Troubleshooting: Contact Microsoft Support for troubleshooting.

AF20013
  Message: The tenant ID passed in the URL ({0}) is not a valid GUID.
    {0} = tenant ID passed in the URL
  Troubleshooting: Check the tenant ID provided in the Microsoft 365 form.

AF20020
  Message: The specified content type is not valid.
  Troubleshooting: Contact the EventTracker support team.

AF20021
  Message: The webhook endpoint ({0}) could not be validated. {1}
    {0} = webhook address
    {1} = "The endpoint did not return HTTP 200." or "The address must begin with HTTPS."
  Troubleshooting: Contact the EventTracker support team.

AF20022
  Message: No subscription found for the specified content type.

AF20023
  Message: The subscription was disabled by {0}.
    {0} = "a tenant admin" or "a service admin"
  Troubleshooting: Contact Microsoft Support for troubleshooting.

AF20030
  Message: Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time no more than 7 days in the past.
  Troubleshooting: Contact the EventTracker support team.

AF20031
  Message: Invalid nextPage Input: {0}.
    {0} = the next page indicator passed in the URL
  Troubleshooting: Contact the EventTracker support team.

AF20050
  Message: The specified content ({0}) does not exist.
    {0} = resource ID or resource URL
  Troubleshooting: Contact the EventTracker support team.

AF20051
  Message: Content requested with the key {0} has already expired. Content older than 7 days cannot be retrieved.
    {0} = resource ID or resource URL
  Troubleshooting: Contact the EventTracker support team.

AF20052
  Message: Content ID {0} in the URL is invalid.
    {0} = resource ID or resource URL
  Troubleshooting: Contact the EventTracker support team.

AF20053
  Message: Only one language may be present in the Accept-Language header.
  Troubleshooting: Contact the EventTracker support team.

AF20054
  Message: Invalid syntax in Accept-Language header.

AF429
  Message: Too many requests. Method={0}, PublisherId={1}
    {0} = HTTP method
    {1} = tenant GUID used as PublisherIdentifier
  Troubleshooting: Contact the EventTracker support team.

AF50000
  Message: An internal error occurred. Retry the request.
  Troubleshooting: Contact the EventTracker support team.
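Several of these errors (AF10001, AF20010, AF20013 and AF429) can be reproduced and diagnosed outside the integrator by making the same first call it makes: obtain an app-only token and list the activity feed subscriptions. The PowerShell below is an added example, not Netsurion's code, written for Windows PowerShell 5.1 as required in the prerequisites. It assumes the integrator uses the client-credentials flow against login.windows.net with the resource https://manage.office.com; the tenant ID, application ID and function names are placeholders.

```powershell
# Added example: diagnose AF10001 / AF20010 / AF20013 / AF429 by calling the
# Office 365 Management Activity API directly. Windows PowerShell 5.1.
# Assumptions: client-credentials flow, resource https://manage.office.com; IDs are placeholders.

$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder: Tenant ID from section 3.2.2
$ClientId     = '11111111-1111-1111-1111-111111111111'   # placeholder: Application ID
$ClientSecret = Read-Host -Prompt 'Client secret'

function Get-M365ManagementToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # AF20013 is raised server-side for a non-GUID tenant; catch it before the call
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$parsed)) { throw "Tenant ID '$TenantId' is not a GUID (AF20013)" }
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://manage.office.com'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.windows.net/$TenantId/oauth2/token" -Body $body).access_token
}

# Decode the JWT payload (base64url, no signature check: this is for inspection only)
function Get-JwtPayload {
    param([string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# GET with back-off on 429; honours Retry-After when the service supplies it
function Invoke-ManagementApi {
    param([string]$Token, [string]$Uri, [int]$MaxRetries = 3)
    for ($attempt = 0; $attempt -le $MaxRetries; $attempt++) {
        try {
            return Invoke-RestMethod -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
        } catch {
            $status = $_.Exception.Response.StatusCode.value__
            if ($status -ne 429 -or $attempt -eq $MaxRetries) { throw }
            $retryAfter = $_.Exception.Response.Headers['Retry-After']
            $delay = if ($retryAfter) { [int]$retryAfter } else { [math]::Pow(2, $attempt) * 5 }
            Write-Warning "AF429: throttled, retrying in $delay s"
            Start-Sleep -Seconds $delay
        }
    }
}

$token  = Get-M365ManagementToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$claims = Get-JwtPayload -Token $token

# AF10001: consented application permissions appear in the 'roles' claim
if ($claims.roles -notcontains 'ActivityFeed.Read') {
    Write-Warning "Token lacks ActivityFeed.Read (roles: $($claims.roles -join ', ')); grant admin consent on the Office 365 Management APIs permissions"
}
# AF20010: the 'tid' claim must equal the tenant ID placed in the URL
if ($claims.tid -ne $TenantId) {
    Write-Warning "Token tenant $($claims.tid) does not match the tenant ID $TenantId in the form"
}

# PublisherIdentifier keeps throttling per tenant rather than per caller
$uri  = "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions/list?PublisherIdentifier=$TenantId"
$subs = Invoke-ManagementApi -Token $token -Uri $uri
$subs | Select-Object contentType, status | Format-Table -AutoSize
```

If the warnings are silent and the subscription list comes back, the identity side of the integration is correct and any remaining problem lies in the integrator's own configuration.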

6. EventTracker Knowledge Pack (KP)

Once logs are received in EventTracker, alerts, reports and dashboards can be configured. The following knowledge pack items are available in EventTracker v8.x and later to support Microsoft 365 monitoring.

6.1 Alert

• Microsoft 365 - Azure active directory login failure: Triggers whenever an Azure AD user attempts to log in and fails.
• Microsoft 365 - Exchange mailbox login failure: Triggers whenever a mailbox user attempts to log in and fails.
• Microsoft 365 - Malicious email detected: Triggers whenever malicious mail is detected in Microsoft 365 Exchange. (This KP item is not available for GCC, GCC High or DoD Microsoft 365 subscriptions.)
• Microsoft 365 - Spam email detected: Triggers whenever spam mail is detected in Microsoft 365 Exchange. (This KP item is not available for GCC, GCC High or DoD Microsoft 365 subscriptions.)
• Microsoft 365 - Threat detection: Triggers whenever the Microsoft 365 ATP module detects malicious or suspicious activity in Exchange.
• Microsoft 365 - Teams Bot Added to Team: Triggers whenever a bot is added to a team in Microsoft Teams.
• Microsoft 365 - Teams Channel Deleted: Triggers whenever a channel is deleted in Microsoft Teams.
• Microsoft 365 - Teams External user detected in team/chat: Triggers whenever an external user is detected in a team or chat in Microsoft Teams.
• Microsoft 365 - Teams Organizational setting changed: Triggers whenever organization-wide settings are changed for Microsoft Teams.
• Microsoft 365 - Teams Team Deleted: Triggers whenever a team is deleted in Microsoft Teams.
• Microsoft 365 - Teams User Role Changed to Team Owner: Triggers when a non-owner member's role is changed to team owner in Microsoft Teams.
• Microsoft 365 - Security & compliance alerts: Triggers when Security & Compliance alert policies detect suspicious activity in the Office environment.
• Microsoft 365 - A potentially malicious URL click was detected: Triggers when a Safe Links-protected user in your organization clicks a malicious link. The event is raised when URL verdict changes are identified by Microsoft Defender for Office 365 or when users click through the Safe Links warning page.
• Microsoft 365 - Creation of forwarding/redirect rule: Triggers when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules created using Outlook on the web (formerly Outlook Web App) or Exchange Online PowerShell.
• Microsoft 365 - eDiscovery search started or exported: Triggers when someone uses the Content search tool in the Security & Compliance Center. An alert is raised when a content search is started, when the results of a content search are exported, or when a content search report is exported. Alerts are also raised when these activities are performed within an eDiscovery case.
• Microsoft 365 - Elevation of Exchange admin privilege: Triggers when someone is assigned administrative permissions in your Exchange Online organization, for example when a user is added to the Organization Management role group.
• Microsoft 365 - Email messages containing malware removed after delivery: Triggers when messages containing malware are delivered to mailboxes in your organization. When this happens, Microsoft removes the infected messages from Exchange Online mailboxes using Zero-hour auto purge.
• Microsoft 365 - Email messages containing phish URLs removed after delivery: Triggers when phishing messages are delivered to mailboxes in your organization. When this happens, Microsoft removes the messages from Exchange Online mailboxes using Zero-hour auto purge.
• Microsoft 365 - Email reported by user as malware or phish: Triggers when users in your organization report messages as phishing using the Report Message add-in.
• Microsoft 365 - Malware campaign detected after delivery: Triggers when an unusually large number of messages containing malware are delivered to mailboxes in your organization. When this happens, Microsoft removes the infected messages from Exchange Online mailboxes.
• Microsoft 365 - Malware campaign detected and blocked: Triggers when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization. When this happens, the infected messages are blocked by Microsoft and not delivered to mailboxes.
• Microsoft 365 - Malware campaign detected in SharePoint and OneDrive: Triggers when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization.
• Microsoft 365 - Messages have been delayed: Triggers when Microsoft cannot deliver email messages to your on-premises organization or a partner server through a connector. When this happens, the messages are queued in Office 365. The alert fires when 2,000 or more messages have been queued for more than an hour.
• Microsoft 365 - Phish delivered due to tenant or user override: Triggers when Microsoft detects that an admin or user override allowed a phishing message to be delivered to a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains.
• Microsoft 365 - Suspicious email sending patterns detected: Triggers when someone in your organization has sent suspicious email and is at risk of being restricted from sending. This is an early warning of behavior that may indicate a compromised account but is not yet severe enough to restrict the user.
• Microsoft 365 - Tenant restricted from sending email: Triggers when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email. Investigate potentially compromised user and admin accounts, new connectors, and open relays, then contact Microsoft Support to unblock your organization.
• Microsoft 365 - Unusual external user file activity: Triggers when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside your organization, including accessing, downloading, and deleting files.
• Microsoft 365 - Unusual increase in email reported as phish: Triggers when there is a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing.
• Microsoft 365 - Unusual volume of external file sharing: Triggers when an unusually large number of files in SharePoint or OneDrive are shared with users outside your organization.
• Microsoft 365 - Unusual volume of file deletion: Triggers when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame.
• Microsoft 365 - User impersonation phish delivered to inbox/folder: Triggers when Microsoft detects that an admin or user override allowed a user-impersonation phishing message to be delivered to the inbox (or another user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains.
• Microsoft 365 - User restricted from sending email: Triggers when someone in your organization is restricted from sending outbound mail. This typically happens when an account is compromised, and the user is then listed on the Restricted Users page in the Security & Compliance Center.
• Microsoft 365 - Application modified: Triggers when someone in your organization modifies an existing application registration. Such changes can be suspicious; they were abused in the SolarWinds intrusion.
• Microsoft 365 - Application role assigned: Triggers when someone in your organization is assigned a role on an existing application. These roles can allow the holder to make changes across the organization; such assignments were observed in the SolarWinds intrusion.
• Microsoft 365 - Consent on application: Triggers when an administrator approves consent for an application. Once consented, the application is authorized to read and write Microsoft 365 data through the API. Such consent grants were observed in the SolarWinds intrusion.
• Microsoft 365 - Login activities using SAML token detected: Triggers when someone in your organization logs in using a SAML token.
• Microsoft 365 - Login activities using WinRM user agent: Triggers when someone in your organization logs in with a WinRM user agent.
• Microsoft 365 - Mailbox login using PowerShell: Triggers when someone in your organization logs in to an Exchange mailbox using PowerShell.
• Microsoft 365 - OAuth permission granted on application: Triggers when an OAuth permission is granted on an application by someone in your organization.
• Microsoft 365 - Service principal credential modified: Triggers when a credential is added to or changed on a Microsoft 365 service principal.
• Microsoft 365 - Service principal modified: Triggers when a service principal is changed. Such changes were observed in the SolarWinds intrusion.
• Microsoft 365 - Set domain authentication: Triggers when someone in your organization changes a domain's authentication type between managed (standard) identity and federated single sign-on. Such changes were used in the SolarWinds intrusion to bypass MFA.
• Microsoft 365 - Set federation settings on domain: Triggers when the federation realm object for a domain is modified. This activity is very rare in a normal environment and may indicate a threat actor preparing a Golden SAML attack.
• Microsoft 365 - Sensitive information detected in Mail: Triggers when content matches a DLP rule in Exchange.
• Microsoft 365 - Sensitive information detected in SharePoint: Triggers when content matches a DLP rule in SharePoint.
• Microsoft 365: User login failed due to MFA: Triggers when a user fails to satisfy the strong authentication requirement for logging in to Microsoft 365.
• Microsoft 365: User MFA disabled: Triggers when MFA is disabled for a user.
• Microsoft 365: CAS alerts has been triggered: Triggers when Cloud App Security generates an alert, such as an unusual addition of credentials to an OAuth app or a block on downloads from non-domain-joined devices.

6.2 Reports • Microsoft 365 - Activated user detail: This report will provide you information related to Microsoft 365 activated user, with what kind of OS is used to access Microsoft 365. • Microsoft 365 - Activation counts: This report will provide you an overall summary of Microsoft 365 activated license with what kind of OS is used to access Microsoft 365. • Microsoft 365 - Active user counts: This report will provide you an overall summary of the user who is active on Exchange, OneDrive, SharePoint, , Teams, and . • Microsoft 365 - Azure active directory admin activities: This report will provide information related to Azure active directory admin activities like user management, group management, permission assigning, etc. • Microsoft 365 - Azure active directory login activities: This report will provide information for user login activities from various Microsoft 365 application which are using the Azure active directory as the authentication server. • Microsoft 365 - Email activity user counts: This report will provide an overall summary for email activities in the Microsoft 365 Exchange server. (Receive, send, read) • Microsoft 365 - Email app usage user counts: This report will provide an overall summary for application which user is using for sending/receiving the mail. (Outlook, IMAP, POP3, etc.) • Microsoft 365 - Email app usage user detail: This report will provide information related to the user using application for sending/receiving the mail. • Microsoft 365 - Email app usage version user counts: This report will provide an overall summary for version usage of by a user. (Outlook 2016, Outlook 2013, etc.)

© Copyright Netsurion. All Rights Reserved 24

• Microsoft 365 - Exchange admin activities: This report will provide detailed information for admin activities done for Microsoft 365 Exchange like permission changes on a mailbox, mailbox creation, deletion, or modification, etc. • Microsoft 365 - Exchange mail Traffic Details: This report will provide you an overall summary related to mail which matches transport rules (BCL0, BCL1, bad mail, good mail, spam mail, etc.) of Exchange. (This KP items is not available for GCC, GCC High or Dod Microsoft 365 subscription.) • Microsoft 365 - Exchange mailbox login activities: This report will provide detailed information related to mailbox login activities. • Microsoft 365 - Exchange message trace details: This report will provide detailed information of mail receiving/sending by Exchange users. If sending of some mails fails, then this report will provide the reason for failure. (This KP items is not available for GCC, GCC High or Dod Microsoft 365 subscription.) • Microsoft 365 - Exchange spam mail traffic details: This report will provide detailed information on spam mail received by Exchange users. (This KP items is not available for GCC, GCC High or Dod Microsoft 365 subscription) • Microsoft 365 - Mailbox storage usage: This report will provide an overall summary for storage used by Microsoft 365 Exchange mailbox. • Microsoft 365 - Mailbox usage detail: This report will provide information for storage used by Microsoft 365 Exchange mailbox for each user. • Microsoft 365 - Mailbox usage mailbox counts: This report will provide information for active mailbox count. • Microsoft 365 - Mailbox usage quota status mailbox counts: This report will provide an overall summary for mailbox who reached their mailbox usage quota. • Microsoft 365 - Microsoft 365 activation user counts: This report will provide a summary for Microsoft 365 license usage. 
• Microsoft 365 - Microsoft activity file counts: This report will provide a count of OneDrive activities (viewed or edited, shared externally, synced, shared internally) done on files. • Microsoft 365 - OneDrive activity user counts: This report will provide a count of OneDrive activities (viewed or edited, shared externally, synced, shared internally) done by the user. • Microsoft 365 - OneDrive file operations: This report will provide detailed information of activities that happened on OneDrive like file uploaded, downloaded, edited, accessed, shared, etc. • Microsoft 365 - OneDrive usage account counts: This report will provide a summary of users who are actively using OneDrive. • Microsoft 365 - OneDrive usage account detail: This report will provide a summary of users who are using OneDrive and count of activities they are doing. • Microsoft 365 - OneDrive usage file counts: This report will provide the total file used by user on OneDrive. • Microsoft 365 - OneDrive usage storage: This report will provide summary of storage used by OneDrive. • Microsoft 365 - SharePoint activity user details: This report will provide activities count done by a user in Microsoft 365 SharePoint.

© Copyright Netsurion. All Rights Reserved 25

• Microsoft 365 - SharePoint site operations: This report will provide details information on activities happening on Microsoft 365 SharePoint. • Microsoft 365 - SharePoint site storage usage: This report will provide a summary of storage used by SharePoint sites. • Microsoft 365 - Skype for business activity user detail: This report will provide a summary of the activities (peer to peer, conference session, etc.) in Skype of business. • Microsoft 365 - Skype for business device usage user detail: This report will provide a summary of devices used by a user for doing Skype for business activities. • Microsoft 365 - Skype for business peer to peer activity user counts: This report will provide a summary for peer-to-peer activities (IM, audio, video, file transfer, app sharing) in Skype for business. • Microsoft 365 - Threat intelligence activities: This report will provide detailed information related to threats detected by Microsoft 365 ATP. • Microsoft 365 – Teams Login Success: This report will provide detailed information related to successful login in Teams. • Microsoft 365 – Teams Operation on members: This report will provide detailed information related to operation performed on team member in Teams. • Microsoft 365 – Teams Team and Connector Activity: This report will provide detailed information related to all the activities performed on Team and connectors. • Microsoft 365 – Teams External Users Detected in Team: This report will provide detailed information about any external user detected in Teams. • Microsoft 365 – Teams Channel and Tab Operation: This report will provide detailed information related to activities related to channel and tabs in Teams. • Microsoft 365 - DLP activities: This report will provide information related to DLP activities which contains information about rule name, application, and severity etc.

• Microsoft365 - User login failed due to MFA activities: This report provides information on users who failed to satisfy the strong authentication requirement at login, including the username, application, source IP address, etc.

• Microsoft365 - User MFA activities: This report provides information on MFA enable and disable activities for users, including the username, target username, action, etc.

• Microsoft 365 - CAS alert triggered: This report provides information on Cloud App Security alert activities, such as unusual addition of credentials to an OAuth app or blocked downloads on non-domain-joined devices. It contains field information such as username, reason, category, log type, and message.
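The reports above are described by the fields they surface (username, source IP, operation, member UPN). The following is an added Python example, not part of this guide and not EventTracker code, that shows the filtering and counting behind three of them, run over constructed Microsoft 365 unified-audit-log records. Field names (Workload, Operation, UserId, ClientIP, Members[].UPN, TeamName) follow the Office 365 Management Activity API schema; the sample data, the LogonError value used for the MFA case, and the "StrongAuth" substring match are this example's assumptions and should be checked against records exported from your own tenant.

```python
"""Added example: the filtering and counting behind three of the reports
listed above, run over constructed Microsoft 365 unified-audit-log records.
Not EventTracker code. Field names follow the Office 365 Management Activity
API schema; the LogonError value and the 'StrongAuth' match are assumptions.
"""
import json
from collections import Counter

# Constructed sample export (not real tenant data), shaped like one audit
# content blob: a JSON array of records.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2021-09-01T08:01:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoginFailed", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10", "LogonError": "UserStrongAuthClientAuthNRequired"},
    {"CreationTime": "2021-09-01T08:02:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoginFailed", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10", "LogonError": "InvalidUserNameOrPassword"},
    {"CreationTime": "2021-09-01T08:05:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoginFailed", "UserId": "bob@contoso.example",
     "ClientIP": "198.51.100.7", "LogonError": "UserStrongAuthClientAuthNRequired"},
    {"CreationTime": "2021-09-01T08:06:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10"},
    {"CreationTime": "2021-09-01T09:00:00", "Workload": "MicrosoftTeams",
     "Operation": "MemberAdded", "UserId": "carol@contoso.example",
     "TeamName": "Finance",
     "Members": [{"UPN": "dave_fabrikam.example#EXT#@contoso.onmicrosoft.com", "Role": 1},
                 {"UPN": "erin@contoso.example", "Role": 1}]},
    {"CreationTime": "2021-09-01T10:00:00", "Workload": "OneDrive",
     "Operation": "FileAccessed", "UserId": "alice@contoso.example",
     "SourceFileExtension": "xlsx"},
    {"CreationTime": "2021-09-01T10:01:00", "Workload": "OneDrive",
     "Operation": "FileDownloaded", "UserId": "alice@contoso.example",
     "SourceFileExtension": "pdf"},
    {"CreationTime": "2021-09-01T10:02:00", "Workload": "OneDrive",
     "Operation": "FileAccessed", "UserId": "bob@contoso.example",
     "SourceFileExtension": "xlsx"},
])


def load_records(raw: str) -> list:
    """Parse one audit content blob (a JSON array of records)."""
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("audit content must be a JSON array of records")
    return records


def aad_login_failures(records):
    """All Azure AD sign-in failures (the base set for the login-failure views)."""
    return [r for r in records
            if r.get("Workload") == "AzureActiveDirectory"
            and r.get("Operation") == "UserLoginFailed"]


def mfa_login_failures(records):
    """'User login failed due to MFA activities': failures whose LogonError
    says a strong-authentication step was required and not satisfied.
    Matching on the 'StrongAuth' substring is this example's assumption."""
    return [(r["UserId"], r.get("ClientIP"), r.get("LogonError"))
            for r in aad_login_failures(records)
            if "StrongAuth" in r.get("LogonError", "")]


def login_failures_by_source_ip(records) -> Counter:
    """Failure count per source IP; a GeoIP lookup on each key turns this
    into the 'login failed by location' view."""
    return Counter(r.get("ClientIP", "unknown") for r in aad_login_failures(records))


def external_members_added(records):
    """'Teams External Users Detected in Team': MemberAdded events where a
    member UPN carries the #EXT# marker Azure AD places on guest accounts."""
    hits = []
    for r in records:
        if r.get("Workload") != "MicrosoftTeams" or r.get("Operation") != "MemberAdded":
            continue
        for member in r.get("Members", []):
            upn = member.get("UPN", "")
            if "#EXT#" in upn.upper():
                hits.append((r.get("TeamName"), upn, r.get("UserId")))
    return hits


def onedrive_activity_by_user(records) -> Counter:
    """'OneDrive activity user counts': number of operations per (user, operation)."""
    return Counter((r["UserId"], r["Operation"])
                   for r in records if r.get("Workload") == "OneDrive")


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    print("MFA failures:", mfa_login_failures(recs))
    print("Failures by IP:", dict(login_failures_by_source_ip(recs)))
    print("External members:", external_members_added(recs))
    print("OneDrive by user:", dict(onedrive_activity_by_user(recs)))
```

Each function filters on Workload and Operation first, because the same Operation name can appear under several workloads; the MFA case is separated from ordinary password failures by the LogonError text rather than by the generic UserLoginFailed operation, which is why the report above lists it separately from the login-failure dashboards.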

6.3 Dashboard

• Microsoft 365 – Exchange Top Sender (This KP item is not available for GCC, GCC High, or DoD Microsoft 365 subscriptions.)

• Microsoft 365 – Exchange Top Spam mail by Sender (This KP item is not available for GCC, GCC High, or DoD Microsoft 365 subscriptions.)

• Microsoft 365 – Exchange Admin Activities by User

• Microsoft 365 – Exchange Top Recipient (This KP item is not available for GCC, GCC High, or DoD Microsoft 365 subscriptions.)

• Microsoft 365 – Exchange mail traffic trend (This KP item is not available for GCC, GCC High, or DoD Microsoft 365 subscriptions.)

• Microsoft 365 – ATP Top Malware Detected detail

• Microsoft 365 – ATP User Affected by Threat

• Microsoft 365 – ATP Threat Category

• Microsoft 365 – ATP Threat Detection Method

• Microsoft 365 – ATP Suspicious Sender

• Microsoft 365 – Azure Active Directory Login failure

• Microsoft 365 – Azure Active Directory Events

• Microsoft 365 – Azure Active Directory Login Activities

• Microsoft 365 – Azure Active Directory login failed by location

• Microsoft 365 – Azure Active Directory Login by user

• Microsoft 365 – OneDrive Activities by Operation

• Microsoft 365 – OneDrive Activities by File Type

• Microsoft 365 – OneDrive Activities by Resource Type

• Microsoft 365 – SharePoint Activities

• Microsoft 365 – SharePoint Activities by User

• Microsoft 365 – SharePoint Activities by User Agent

• Microsoft 365: Teams Login Success

• Microsoft 365: Teams User Login by Geolocation

• Microsoft 365: Teams Device Type Used

• Microsoft 365: Teams Login Per Day

• Microsoft 365: Teams Operation related to Membership

• Microsoft 365: Teams External Users Detected in Teams

• Microsoft 365: Teams Channel and Tab Activity

• Microsoft 365: Teams Team and Connector Activity

• Microsoft 365: DLP activities by policy name

• Microsoft 365: DLP activities by mail subject

• Microsoft 365: DLP activities by Severity

• Microsoft 365: DLP activities by sensitive information type name

• Microsoft 365 - User MFA activities by Username

• Microsoft 365 – CAS alert triggered by category

• Microsoft 365 – CAS alert triggered by alert type

• Microsoft 365 – CAS alert triggered by username

• Microsoft 365 – CAS suspicious activity by username

7. Importing Knowledge Pack into EventTracker

Follow the steps below to import the knowledge pack into EventTracker:

1. Launch the EventTracker Control Panel.

2. Double-click Export/Import Utility and click the Import tab.

3. Import Tokens/Reports as described below.

7.1 Alerts

1. Click the Alert option and click Browse.

2. Locate the Alerts_ Microsoft 365.isalt file and click Open.

3. To import the alerts, click Import. EventTracker displays a success message.

4. Click OK and click Close.

7.2 Knowledge Objects

1. Click Knowledge Objects under the Admin option on the EventTracker Manager page.

2. Locate the file named KO_ Microsoft 365.etko.

3. Select all the checkboxes and click the Import option.

4. Knowledge objects are now imported successfully.

7.3 Reports

1. Click the Reports option and select New (.etcrx).

2. Locate the file named Flex Reports_ Microsoft 365.etcrx and select all the checkboxes.

3. Click Import to import the reports. EventTracker displays a success message.

7.4 Dashlets

EventTracker 9.0 added a feature for importing and exporting dashlets. The procedure is as follows:

1. Log in to the EventTracker web console.

2. Go to the My Dashboard option.

3. Click Import and select the .etwd file.

4. Click Upload and select the dashboards you want to import.

5. Click Import. It uploads all the selected dashboards.

8. Verifying Knowledge Pack in EventTracker

8.1 Alerts

1. Log on to EventTracker.

2. Click the Admin menu and click Alerts.

3. In the Search box, type Microsoft 365 and click Go. The Alert Management page displays all the imported alerts.

4. To activate the imported alerts, select the respective checkbox in the Active column.

EventTracker displays a message box.

5. Click OK and click Activate Now.

NOTE: Specify the appropriate systems in each alert configuration for better performance.

8.2 Knowledge Object

1. Log on to EventTracker.

2. Click the Admin menu, and then click Knowledge Object.

3. In the Knowledge Object Group Tree, scroll down and click the Microsoft 365 group folder to view the imported knowledge objects.

4. The knowledge objects are displayed in the pane.

8.3 Reports

1. Log on to EventTracker.

2. Click the Reports menu and click Configuration.

3. Select Defined as the report type.

4. In the Report Groups Tree, scroll down and click the Microsoft 365 group folder to view the imported scheduled reports.

5. The reports are displayed in the Reports Configuration pane.

8.4 Dashlets

1. Log on to EventTracker.

2. Click the Dashboard menu and click My Dashboard.

3. Click Customize Dashlet and search for Microsoft 365.

About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion's cybersecurity platforms enable companies to deliver on both. Netsurion's approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment. Netsurion's EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more, all delivered as a managed or co-managed service. Netsurion's BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on or LinkedIn. Netsurion is #19 among MSSP Alert's 2020 Top 250 MSSPs.

Contact Us

Corporate Headquarters
Netsurion
Trade Centre South
100 W. Cypress Creek Rd, Suite 530
Fort Lauderdale, FL 33309

Contact Numbers
EventTracker Enterprise SOC: 877-333-1433 (Option 2)
EventTracker Enterprise for MSPs SOC: 877-333-1433 (Option 3)
EventTracker Essentials SOC: 877-333-1433 (Option 4)
EventTracker Software Support: 877-333-1433 (Option 5)
https://www.netsurion.com/eventtracker-support
